Difference Between GlobalProtect Portal and GlobalProtect Gateway

Showing results for 
Show  only  | Search instead for 
Did you mean: 

Difference Between GlobalProtect Portal and GlobalProtect Gateway

L2 Linker

Read few of the docs but never understood the difference between the GP Portal and GP GW. Is there any way we can compare this with other vendor products and co-relate it? For example Cisco Anyconnect, Checkpoint Endpoint Security.

I wanted to know the actual difference and why few customers configure both Portal and Gateway.

Is it really necessary to configure both?


Sanjay S


L5 Sessionator

I don't know if you can really compare it to Cisco/Checkpoint, but yes both the Portal and the Gateway are required. The GP Portal is where the GP client connects to get its configuration data: client side settings/network restrictions and a list of which Gateways to connect to. The GP Gateway is where the GP client connects to establish the tunnel that client VPN traffic will actually flow over.


The reason these are separate is that the GP configuration point and the data point can be on completely separate interfaces or devices. So you can have one or more GP Portals that push different configurations to different clients with a set of preferred Gateways. Those Gateways can be scattered across the world with the client choosing the best Gateway for its connectivity. You can also have different Gateways for different types of clients, based on the Portal config, i.e. your corporate users go to one Gateway, your contractors go to a different Gateway, with the same Portal.


In most cases PA users are probably using a single Portal and Gateway setup. In my setup I have multiple PAs with 4 different public interfaces, each running a Portal and Gateway. End users being users... most people always select the first VPN Portal in their GP client. If you only had a single Portal/Gateway association then all the clients would be on the same public interface/PA. With multiple Gateways I can make the GP clients automatically load balance across all the available Gateways (and fail to a different Gateway if the primary is unavailable) regardless of which Portal the user selected. This also means that I can remove a Gateway from the Portal client config and have users automatically move off it (over time) to perform maintenance or test new configurations, without having to tell every end user to change their VPN Portal setup.

Thank you Adrian for the detailed information.

I believe GP Portal is very much similar to the XML profile in Cisco Anyconnect. As XML profile will control all user controllable settings of Anyconnect Client. GP Portal does the same in Palo Alto Global Protect Client. 

Hope my understanding is right now?


Sanjay S

L5 Sessionator

I am not familiar with Cisco Anyconnect (I have used Cisco ASA a tiny bit for site-to-site and user VPNs, but never did any user side config), but from your description I believe you are right. The GP Portal sets all the user side restrictions and options. There are a couple user configuration options through the GP Gateway (user VPN IP address, split tunnel networks, etc), but everything else comes from the GP Portal.


The basic config options for the user can be found under:

Network -> GlobalProtect -> Portals -> [portal_config] -> Agent -> [agent_config] ->

App - GP client settings including VPN mode (on-demand/always-on), Portal config lifetime, password policies, user bypass options, etc.

External - GP Gateways the client will connect to with preference/geolocation options

Internal - Internal network VPN bypass and internal gateways for HIP data collection


Network -> GlobalProtect -> Gateways -> [gateway_config] -> Agent -> Client Settings -> [client_config] ->

Authentication Override - whether to accept/generate cookies for overriding user authentication for Portal/Gateway login

IP Pools - IP subnet to allocate client VPN IPs from

Split Tunnel - Networks/domains to always split-tunnel and exclude from forcing through the VPN

Network -> GlobalProtect -> Gateways -> [gateway_config] -> Agent

-> Network Services - client DNS servers

Network -> GlobalProtect -> Gateways -> [gateway_config] -> Agent

-> Connection Settings - GP Gateway connection lifetime

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!